The present invention relates to a method of composing a VPN (Virtual
Private Network) on the Internet and an interwork router used to connect
Internet service providers to each other.

Various applications such as E-mail and WWW (World Wide Web)
programs can be used on any Internet Protocol (IP) network. In addition,
such IP networks can be composed at lower costs than the conventional
switching networks that are associated with telephones. This is why the
Internet has rapidly come into wide use in recent years. Under such
circumstances, intracompany networks (intranets) composed on the IP level
are now indispensable for facilitating the activities of those companies.

Companies are often distributed unevenly in local areas. In such a
situation, therefore, there will appear a demand that the intranets in those
local areas should be connected into one network as a logical consequence.
In such a case, there are the following two methods possible for connecting
those intranets to each other in local areas.

Firstly, private lines are used for connecting those intranets in local
areas. In this case, each of those intranets can be isolated from external
networks for ensuring security.

Secondly, the IPsec (IP security protocol) technique is used to provide
each terminal with a function for identifying packets of its own company's
network, so that those packets are transferred on the Internet as IP packets
using global addresses. This identifying function, when combined with an
encoding technique, can make up a Virtual Private Network (VPN) so as to be
protected from the attacks of malicious users.

If such private lines are used, however, some problems arise; for
example, the network cost is increased, and furthermore, the VPN realized by
the IPsec method cannot be protected from the attacks and invasions of
malicious users who can crack the codes. In addition, the encoding
processing becomes a bottleneck to increasing the speed of fast networks,
and terminal costs are increased.

Along with the rapid spread of the Internet, as well as the cost
reduction of using the Internet, there have appeared strong demands for
forming virtual private networks on the Internet using the functions of lower
layers than the IP layer provided by networks, while suppressing the cost and
isolating each of those virtual private networks from external networks so as
to assure the security and quality thereof.

In order to meet such demands, the following VPN is proposed. A
packet is encapsulated at the inlet of the object network of an Internet Service
Provider (ISP) that provides the VPN. On the ISP network, each packet is
transferred according to the capsule header, then the capsule header is
removed at the outlet of the network. According to this VPN composing
method, since a packet is encapsulated peculiarly to the VPN, the VPN is
isolated from external networks, thereby assuring the security of the VPN.
More concretely, for such an encapsulation protocol various methods are
available, such as IP encapsulation, MPOA (Multi Protocol over ATM), MPLS
(Multi Protocol Layer Switching), etc. Since February of 1999, those methods
have been under examination in such standardization groups as ITU-T SG13
(International Telecommunications Union-Telecommunications
Standardization Section, Study Group 13), IETF (Internet Engineering Task
Force), etc. In addition, ITU-T SG13 is also examining the Core Protocol of
the Global Multi-media Network Connection Less (GMN-CL) for transferring
packets encapsulated according to E.164 addresses in the object network.

"Access Network Systems and Edge Nodes Systems for the
Next-Generation Computer Network", pp. 425-434, NTT R&D vol. 47 No. 4,
1998 (issued on April 10, 1998) has also proposed a method for composing
an edge node in an accessing system used to interwork between each of a
plurality of user networks and the core network in the GMN-CL.

SUMMARY OF THE INVENTION 

In recent years, the areas of activities in companies have expanded
more and more widely. For example, many Japanese companies have
offices overseas, including the United States of America and European
countries. Under such circumstances, it would be natural for those
companies to consider it important to connect the intranets composed in their
offices to each other via a VPN.

On the other hand, since each ISP generally provides the services only
in a specific area, the VPN must be composed over a plurality of ISPs in order
to connect the networks (intranets) in those areas through the VPN.

And, if a plurality of ISPs are connected to each other in such a way,
an interwork gateway (interwork router) needs to be formed for such
connection. In this interwork router, the interwork is realized so as to transfer
each of the packets from one of the ISP networks to the other according to
the IP header. In addition, a system referred to as an IX (Internet Exchange)
is used for connecting both networks to each other so as to realize the
interwork among a plurality of networks as described in "Commercial IX",
pp. 146-155, Nikkei Communications 1997.12.15. And, this IX may also be
used to transfer IP packets among those networks. Such an IX includes
some methods that use a "layer 3 forwarding" function for identifying and
transferring each of the IP packets, as well as a "layer 2 forwarding" function
for transferring each of the IP packets by identifying the header in the lower
layer in the ATM (Asynchronous Transfer Mode) communication system, etc.

The present inventors have examined the problems which arise when
a VPN is composed over a plurality of ISP networks. At first, packets are
encapsulated in order to compose a VPN for the network of each Internet
Service Provider. Generally, the encapsulation protocol of each network
differs from other networks. In this case, the IP header information of each IP
packet is retrieved by the interwork router, thereby determining the route to
the destination. In this case, the retrieving must also include a check to
determine whether or not the packet is to be transferred to another network.
The IP header information is common for both of the networks.

However, the interwork router terminates the protocol of each layer
lower than the IP layer at the interface. Therefore, the capsule header given
in the previous network so as to compose the VPN is removed in the process
of retrieving the IP address, so that information as to the next leg of the route
can be determined. After that, a new capsule header must be generated and
added to the packet so as to compose the VPN in the next network.
Consequently, packets in the VPN are mixed with packets in other networks
in the interwork router. And, this might cause a problem that malicious users
are able to change the headers to those packets and invade the VPN through
the interwork router.

Some companies do not use global addresses, but use private
addresses for composing their VPNs. In such a case, once the interwork
router removes the capsule header of a packet, the receiving ISP cannot
distinguish the packet from others if the packet has the same address as
those of other packets. This is because each of a plurality of VPNs uses
internal addresses uniquely. Consequently, the receiving ISP
cannot determine the destination of the packet. If a VPN is composed over a
plurality of ISPs on the Internet, therefore, the problem as described above
must be solved by all means.

In addition, the types of services are not the same among ISPs. As for
the communication quality, for example, assume that one ISP uses an ATM
VC (Virtual Channel) for forming a communication path, thereby assuring the
quality of each VPN and the other ISP uses Diffserv (Differentiated Services)
to assure the quality of the communication. If the VPNs composed for both
networks are to be connected to each other in such a case, it will be difficult
to provide the communication quality on an end-to-end level.

As described above, it is difficult to compose a VPN over a plurality of
ISPs on the Internet for practical use.

Under such circumstances, therefore, it is an object of the present
invention to solve the above problems and provide a method of composing a
VPN over a plurality of ISPs and provide an interwork router for connecting
those ISPs to each other in such a VPN.

In order to solve the above problems, the interwork router of the
present invention is provided with functions for determining the route to output
packets and for generating a capsule header for each of those packets to be
used in the next ISP network (in output side) from the information set both in
the capsule header, which is a VPN identifier, and in the IP header of the
packet. Hereunder, a more detailed description will be made of an example
of how to connect a plurality of ISPs to each other. Each of those ISPs is
used to operate an MPLS network that uses an ATM as a lower layer. More
concretely, header information is added to each packet to be transferred to
the next network. Such header information is generated when header
information such as VPI, VCI, etc. (capsule headers) of the ATM are used to
identify the VPN, as well as to determine the next route and identify the VPN
in the next network, which header information is generated with necessary
data retrieved according to an IP address as a key. And, the header
information is generated and transferred together with the packet to the next
network.

A VPN interwork can thus be realized, thereby enabling the VPN to be 
composed on the Internet in areas covering a plurality of ISPs. 

The value of the field that indicates the QoS in the capsule header on
the input side is mapped on the value of the field that indicates the QoS in the
capsule header for the output side. Consequently, quality information of both
networks composing a VPN can be transferred as is.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a schematic diagram showing an example of the operation of
an interwork router according to the present invention.

Fig. 2 is a schematic diagram illustrating an example of problems
solved by the present invention.

Fig. 3 is a diagram which shows the operation of the interwork router of
the present invention using a protocol stack.

Fig. 4 is a flow chart indicating an ISP interworking method that uses a
conventional router.

Fig. 5 is a flow chart indicating the operation of the interwork router of
the present invention.

Fig. 6 is a flow chart indicating the operation of the interwork router of
the present invention.

Fig. 7 is a diagram which illustrates a method for connecting an MPLS
network with an IP encapsulation network using a protocol stack in an
embodiment of the present invention.

Fig. 8 is a diagram which shows how an IP packet is converted to ATM
cells according to RFC1483.

Fig. 9 is a diagram which shows the format of IP packets according to
RFC791.

Fig. 10 is a diagram which shows the configuration of an IP tunnel
packet according to RFC1853.

Fig. 11 is a block diagram of the interwork router of the present
invention.

Fig. 12 is a block diagram of a lower layer processing unit provided for
the interwork router of the present invention.

Fig. 13 is a diagram of a VPN number table for receiving, provided in
the lower layer processing unit of the present invention.

Fig. 14 is a block diagram of the lower layer processing unit provided in
the interwork router of the present invention.

Fig. 15 is a diagram of a VPN number table for receiving, provided in
the lower layer processing unit of the present invention.

Fig. 16 is a block diagram of a packet layer processing unit provided in
the interwork router of the present invention.

Fig. 17 is a diagram of a route retrieval table/VPN table provided in the
packet layer processing unit of the present invention.

Fig. 18 is a diagram of a header generating table provided in the lower
layer processing unit of the present invention.

Fig. 19 is a diagram of the header generating table provided in the
lower layer processing unit of the present invention.

Fig. 20 is a diagram showing an example of the interwork router in a
network according to an embodiment of the present invention.

Fig. 21 is a diagram showing an example of the interwork router in a
network according to an embodiment of the present invention.

Fig. 22 is a diagram showing an example of the interwork router in a
network according to an embodiment of the present invention.

Fig. 23 is a diagram showing an interface for directing the interwork
router from an NMS so as to set the tables in an embodiment of the present
invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereunder, various embodiments of the present invention will be
described with reference to the accompanying drawings.

At first, a description will be made for how to compose a VPN over a
plurality of ISPs, which are separated by a lower layer, respectively, according
to the present invention, as well as the role of the interwork router of the
present invention, with reference to Figs. 1 and 2. A lower layer as mentioned
here is a protocol for encapsulating the header of each IP packet. This
capsule header will also be described as a header of the lower layer even
when each IP packet is encapsulated according to the IP header.

Hereunder, a description will be made of problems that will arise when
a VPN is composed over a plurality of ISPs using a conventional router, with
reference to Fig. 2. In Fig. 2, both ISP1 (2-1) and ISP2 (2-2) are interworking
using a conventional router (9). The ISP1 and ISP2 are used to compose a
VPN by encapsulating packets in a layer lower than the IP layer. The ISP1
provides services in the area A and includes LAN (Local Area Network) 1
(1-1), LAN2 (1-2), and LANa (1-a). The ISP2 provides services in the area B
and includes LAN3 (1-3), LAN4 (1-4), and LANb (1-b). LAN1 to LAN4 belong
to company A, which is planning to compose a VPN over those LANs. Both
LANa and LANb belong to company B, which is different from company A and
which is also planning to compose a VPN over those LANs. In such a case, if
an encapsulation channel is provided between an inlet and an outlet of a
network in the same ISP, packets of a specific user can be separated from
packets of other users. A higher security network can thus be composed.
However, if a VPN is to be composed over both ISP1 and ISP2, the
conventional router terminates the lower layer at the interface on the input
side and merges packets on the IP level, then executes the packet
forwarding. And, this causes a problem in that packets from a plurality of
users are mixed on the IP level. In other words, packets in a VPN are mixed
with packets of other networks. Consequently, this makes it possible for
malicious users to enter the network using false IP addresses. In addition, if
two companies compose a LAN respectively using private addresses, each of
those companies assigns its addresses independently. Thus, both of the
companies might assign the same IP addresses. In such a case, the
conventional router cannot transfer packets correctly due to conflict created
by those addresses.

Next, how the present invention will solve the above problems will be
described with reference to Fig. 1. For example, assume now that the
company A sends data from LAN1 to LAN3 of the same company A. In this
embodiment, the ISP1 composes a VPN by encapsulating IP packets and the
ISP2 composes a VPN by encapsulating packets in a MPLS network, which
uses the ATM. Packets received by the ISP1 (2-1) from LAN1 are
encapsulated as IP packets by the ISP1, and then they are received by the
interwork router through the IP encapsulation logical channel (5-1). The
interwork router (10) retrieves the output route from both of the IP-capsule
header, indicating the IP encapsulation logical channel through which the
object packet is received, and the header of the original packet, and then
creates a new capsule header for the packet, which is to be used in the ISP2.
In this embodiment, since the ISP2 provides services using MPLS, the
interwork router creates an ATM header for the packet. Packets
encapsulated by ATM are then transferred to LAN3 through the ATM logical
channel (5-3). Since the interwork router retrieves the output route from both
capsule header and IP header, it can transfer packets to the correct
addresses even when both companies A and B use private addresses and a
conflict occurs between IP addresses.

Although a description has been made of two encapsulating methods
as encapsulating protocols in this embodiment, that is, IP encapsulation,
which is an encapsulation method for the IP layer, and ATM encapsulation,
frame relay and HDLC protocols may also be used for such encapsulation.

Next, a description will be made of an embodiment of the present
invention for a method of composing a VPN over a plurality of ISPs using a
network configuration and a protocol stack, with reference to Fig. 3. Any
encapsulation protocol may be used in this embodiment. The ISP1 (2-1) is
connected to LAN1 (1-1) and LAN2 (1-2) via edge nodes (3-1 and 3-2)
respectively. In the same way, the ISP2 (2-2) is connected to a plurality of
networks including LAN3 (1-3) and LAN4 (1-4) via edge nodes (3-3 and 3-4),
respectively. Each of those ISPs encapsulates each of the IP packets using
the header used inside the network between the inlet and the outlet of the
network. Since the ISP assigns a capsule header to each of those IP packets
uniquely to the subject VPN, the VPN traffic is identified among other traffic
on the network, thereby enabling the VPN network to be a closed network.
Both ISP1 (2-1) and ISP2 (2-2) interwork using the interwork router (10), thus
the packets to the destination network are transferred via the interwork router
(10).

For example, if a VPN (VPN1 in this case) connects both LAN1 and
LAN2, each of the IP packets sent from LAN1 to LAN3 is retrieved according
to the IP address at the edge node (3-1). At first, the packet is recognized to
be addressed to the interwork router belonging to the VPN1, then a capsule
header (103a) is added so that the packet is addressed to the interwork router
belonging to the VPN1. The packet can thus be received correctly by the
interwork router (10). The interwork router (10) retrieves the packet according
to the capsule header (103a) and the IP address of each packet so as to be
recognized as a packet addressed to the edge node (3-3) of the VPN1. Then,
a capsule header (103b) is added to the packet so that it is addressed to the
edge node (3-3) in the ISP2. The packet is thus transferred to the edge node
(3-3) in the ISP2 according to the capsule header information. At the edge
node (3-3), the capsule header is removed from the packet. The packet is
then transferred to LAN3. Consequently, IP packets can be transferred in the
VPN composed over the two networks so as to be prevented from mixing with
packets belonging to other traffic.

IP packets, when they use global addresses, can be transferred just
like they are transferred in the conventional networks, if both the destination
(when capsule headers are used) and the capsule header of each packet are
considered together without depending on the lower layer information.

Next, the operation of the interwork router (10) will be described with
reference to Figs. 4 to 6. Fig. 4 shows a processing flow of a conventional
router. Figs. 5 and 6 show processing flows of the interwork router (10) of the
present invention. The conventional router, when receiving packets,
terminates the physical layer (step 201) used for transferring the packets in
the ISP1 (2-1) and removes the capsule header used for the transfer
operation in the ISP1 from each of those packets (step 202), and then it
retrieves the route to the next network according to the value in the IP header
of the packet (step 203). Then, the conventional router transfers the packets
along the desired route via a switch (step 204). After that, the conventional
router adds a capsule header to each of those packets used for the transfer
operation in the ISP2 (step 205), and then it executes a processing for the
physical layer (step 206) so as to output the packets from the transmission
path. In this processing flow, since the capsule header of each packet used
in the transfer operation in the ISP1 is removed and the route to the next ISP
is determined only with the IP header of the packet, the traffic of a plurality of
VPNs is merged once.

According to the interwork router of the present invention, however,
such a problem can be avoided.

Fig. 5 shows an algorithm executed by the interwork router (10) of the
present invention. According to the algorithm, if a packet arrives, the
interwork router (10) terminates the physical layer used for the transfer
operation in the ISP1 (2-1) (step 211), and then it retrieves the route to the
ISP2 according to the capsule header and the IP header of the packet used in
the transfer operation in the ISP1, thereby generating a new capsule header
for the packet to be used in the ISP2 (step 212). After that, the router
replaces the capsule header used in the ISP1 with the new capsule header
(step 213), to be used in the transfer operation in the ISP2 (step 214), and
then it transfers the packet to the switch. The packet is thus transferred by
the switch into the desired route (step 215). After that, the router executes a
processing for the physical layer (step 216) to output the packet from the
transmission path. Consequently, the packet traffic can be separated from
the traffic of other networks. In addition, since naked IP packets from which
the capsule header is removed are never supplied to the switch, no other
invalid users can insert packets in the VPN from this switch. In other words, it
is impossible for invalid IP packets, which are not provided with an internal
header used in the ISP2 respectively, to be mixed with valid IP packets in
the ISP2. Consequently, the security of the network is significantly improved.
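The difference between the Fig. 4 flow and the Fig. 5 flow can be seen in a small model. The following is an added example, not code from the patent: the channel labels, VPN numbers, port name and the 10.0.3.0/24 prefix are constructed assumptions, and a capsule header is reduced to a string label.

```python
"""Conventional router (Fig. 4 flow) vs. interwork router (Fig. 5 flow), toy model."""
import ipaddress
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    capsule: Optional[str]  # capsule header, modelled as a logical-channel label
    dst: str                # destination address from the inner IP header
    payload: bytes


# Constructed tables: every label, number and prefix below is an assumption.
# Receive-side VPN number table: input capsule header -> internal VPN number.
VPN_NUMBER_RX = {"isp1/chan-A": 1, "isp1/chan-B": 2}

# Route retrieval/VPN table:
# (input VPN number, prefix) -> (output port, output VPN number).
ROUTE_VPN_TABLE = {
    (1, "10.0.3.0/24"): ("to-isp2", 1),  # company A, towards LAN3
    (2, "10.0.3.0/24"): ("to-isp2", 2),  # company B, same private prefix
}

# Header generating table: output VPN number -> capsule header used in ISP2.
HEADER_GEN = {1: "isp2/chan-A", 2: "isp2/chan-B"}

# Conventional router: one IP table shared by all traffic. Both companies use
# 10.0.3.0/24, so the second install overwrites the first.
IP_ROUTES = {}
IP_ROUTES["10.0.3.0/24"] = ("to-isp2", "isp2/chan-A")
IP_ROUTES["10.0.3.0/24"] = ("to-isp2", "isp2/chan-B")


def _lpm(entries, dst):
    """Longest-prefix match over (prefix, value) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, value in entries:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return None if best is None else best[1]


def conventional_forward(pkt):
    """Steps 202-205: strip capsule, route on the IP header alone, re-encapsulate."""
    naked = pkt._replace(capsule=None)  # the VPN identity is lost here
    hit = _lpm(IP_ROUTES.items(), naked.dst)
    if hit is None:
        return None
    port, capsule_out = hit
    return port, naked._replace(capsule=capsule_out)


def interwork_forward(pkt):
    """Steps 212-214: route on (capsule header, IP header), swap capsule headers."""
    vpn_in = VPN_NUMBER_RX.get(pkt.capsule)
    if vpn_in is None:  # not received on a known VPN channel: drop
        return None
    candidates = [(p, v) for (vpn, p), v in ROUTE_VPN_TABLE.items() if vpn == vpn_in]
    hit = _lpm(candidates, pkt.dst)
    if hit is None:
        return None
    port, vpn_out = hit
    return port, pkt._replace(capsule=HEADER_GEN[vpn_out])


def compare(pkt):
    """Output capsule chosen by (conventional, interwork); None means dropped."""
    conv, inter = conventional_forward(pkt), interwork_forward(pkt)
    return (conv and conv[1].capsule, inter and inter[1].capsule)


if __name__ == "__main__":
    samples = [
        ("company A", Packet("isp1/chan-A", "10.0.3.7", b"a")),
        ("company B", Packet("isp1/chan-B", "10.0.3.7", b"b")),
        ("no VPN channel", Packet("isp1/public", "10.0.3.7", b"x")),
    ]
    for label, pkt in samples:
        print(label, compare(pkt))
```

In the conventional flow all three packets leave on the same ISP2 channel, including the one that never arrived on a VPN channel; in the interwork flow each company's packet stays in its own VPN and the third packet is dropped.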

Next, another embodiment of the present invention will be described
with reference to Fig. 6. The interwork router in this embodiment is provided
with a table of correspondence between a set of capsule headers and IP
header values used for the transfer operation in the ISP1 and capsule header
indexes, as well as a table of correspondence between capsule header
indexes and the capsule headers used for the transfer operation in the ISP2.
The interwork router in this embodiment, if it receives a packet, terminates the
physical layer used for the transfer operation in the ISP1 (2-1) (step 221).
Then, the interwork router retrieves the route to the ISP2 according to the
capsule header and the IP header of the packet, used for the transfer
operation in the ISP1, and then it generates a capsule header index for the
packet (step 222). After that, the router removes the capsule header used in
the ISP1 from the IP packet and adds the generated capsule header index to
the IP packet (step 223), and then it transfers the packet to the switch. The
switch then transfers the IP packet into the determined route (step 224).
Then, the router generates a capsule header to be added to the packet from
the capsule header index (step 225). The generated capsule header is used
in the transfer operation in the ISP2. The router then executes a processing
for the physical layer (step 226) to output the IP packet from the transmission
path. This interwork router configuration can also form a closed network with
a high security just like that in the configuration shown in Fig. 5. In other
words, no invalid IP packet provided with no capsule header index is mixed
with valid IP packets in the subject VPN.

Next, a description will be made as to how to compose a VPN over
both the ISP1 for supporting the VPN using the MPLS method and the ISP2
for supporting the VPN using IP capsules, as well as an example of a packet
configuration, with reference to Figs. 7 to 10.

Fig. 7 shows an example of a network configuration and protocol
stacks. Although no encapsulation method is defined specially in the
description with reference to Fig. 3, Fig. 7 shows an embodiment in which the
ISP1 employs the MPLS method and the ISP2 employs an IP encapsulation
method. The interwork router (10) forwards packets by using a combination
of the ATM layer (104a), which is equivalent to a capsule header just like in
Fig. 3, with the IP layer (101) and a combination of the IP capsule layer
(104b) with the IP layer (101). Consequently, the router (10) can forward
packets correctly even when addresses are duplicated due to the private
addresses used by each of the VPNs.

Hereunder, a method of encapsulating IP packets in an ATM will be
described with reference to Fig. 8. This encapsulation is standardized by
RFC1483 of IETF. At first, an LLC/SNAP (Logical Link Control/Subnetwork
Attachment Point) (253) is added to each IP packet comprising an IP header
(250) and an IP payload (251), then an AAL (ATM Adaptation Layer) 5 header
(252) and an AAL5 trailer (255) are added to the IP packet, thereby
composing an AAL5 frame. A PAD (254) is then inserted in the AAL5 frame
so as to make the AAL5 frame become a constant multiple of 48 octets,
which is the length of the ATM cell payload (257). This AAL5 trailer is then
divided into ATM cells in units of 48 octets and an ATM header (256) is added
to each of the divided ATM cells. The IP packet is thus transferred as one or
a plurality of ATM cells.
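The padding and segmentation arithmetic, and where the VPI/VCI and CLP bits used as a VPN key sit in each cell, can be worked through in code. This is an added example, not code from the patent: it assumes the routed-IPv4 LLC/SNAP header of RFC 1483, an 8-octet AAL5 trailer after the pad, and UNI cell headers with GFC 0; the sample packet and the VPI/VCI values 1/100 are constructed.

```python
"""RFC 1483 LLC/SNAP encapsulation of an IPv4 packet into AAL5 and ATM cells."""
import struct

LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC, OUI 00-00-00, EtherType 0800
CELL_PAYLOAD = 48   # octets of payload per ATM cell
TRAILER_LEN = 8     # CPCS-UU (1), CPI (1), Length (2), CRC-32 (4)

# Constructed sample: 20-octet IPv4 header (checksum left at 0) + 80 octets of data.
SAMPLE_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 100, 0, 0, 64, 17, 0,
                        bytes([10, 0, 1, 5]), bytes([10, 0, 3, 7])) + bytes(80)


def crc32_aal5(data: bytes) -> int:
    """CRC-32 computed MSB first: poly 0x04C11DB7, init and final XOR all ones."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def hec(header4: bytes) -> int:
    """Header error control: CRC-8 (x^8 + x^2 + x + 1) of 4 octets, XOR 0x55."""
    crc = 0
    for byte in header4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) if crc & 0x80 else (crc << 1)
            crc &= 0xFF
    return crc ^ 0x55


def aal5_frame(ip_packet: bytes) -> bytes:
    """LLC/SNAP + IP packet + PAD + trailer, padded to a multiple of 48 octets."""
    body = LLC_SNAP_IPV4 + ip_packet
    pad = -(len(body) + TRAILER_LEN) % CELL_PAYLOAD
    head = body + bytes(pad) + struct.pack("!BBH", 0, 0, len(body))
    return head + struct.pack("!I", crc32_aal5(head))


def to_cells(frame: bytes, vpi: int, vci: int, clp: int = 0) -> list:
    """Split the frame into 53-octet cells; the last cell carries PTI = 1."""
    cells = []
    last = len(frame) - CELL_PAYLOAD
    for off in range(0, len(frame), CELL_PAYLOAD):
        pti = 1 if off == last else 0
        word = (vpi << 20) | (vci << 4) | (pti << 1) | clp  # GFC bits stay 0
        hdr = struct.pack("!I", word)
        cells.append(hdr + bytes([hec(hdr)]) + frame[off:off + CELL_PAYLOAD])
    return cells


def rx_key(cell: bytes) -> tuple:
    """(VPI, VCI, CLP) of a cell: the fields a receive-side VPN table is keyed on."""
    word = struct.unpack("!I", cell[:4])[0]
    return (word >> 20) & 0xFF, (word >> 4) & 0xFFFF, word & 1


if __name__ == "__main__":
    frame = aal5_frame(SAMPLE_IP)
    cells = to_cells(frame, vpi=1, vci=100)
    print(len(frame), len(cells), rx_key(cells[0]))
```

For the 100-octet sample packet the frame is 108 octets of LLC/SNAP and IP, 28 octets of PAD and the 8-octet trailer, which gives 144 octets and three cells.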

Fig. 9 shows the IPv (Internet Protocol Version) 4 packet format
indicated by RFC (Request for Comments) 791. When encapsulating an IP
packet, the encapsulation protocol uses the IPv4 header as is. The
conventional IPv4 router in the subject network can also be used as the
router.

Fig. 10 shows a method of encapsulation by the IP tunnel indicated by
RFC 1853. This method encapsulates each IP packet comprising an IP
header (260) and an IP payload (261) transferred from a user according to
the capsule header (264). This capsule header comprises an IP header (262)
and a tunnel header (263). This capsule header is used in the ISP2 and it
can be identified uniquely in the subject network. Consequently, even when
the subject user uses a private address, each IP packet is routed using the
capsule header in the network. The IP packet can thus be transferred to the
desired edge node. In this embodiment, a tunnel header generated by
RFC1583 is taken as an example, but GRE (Generic Routing Encapsulation)
encapsulation (RFC1792), IP mobile, and other methods may also be used
for encapsulating IP packets.

The interwork router (10) combines the capsule header of each packet
shown in Figs. 8 and 10 with the IP address of the user for forwarding the IP
packet. Thus, the VPN can be composed with a high security over a plurality
of ISPs. The user can also use private addresses so as to compose such a
VPN.

Next, an embodiment of the interwork router (10) will be described with
reference to Figs. 11 to 19.

Fig. 11 shows a configuration of the interwork router (10). The control
unit (50) is used for controlling the whole router (10) and for routing packets to
other nodes. The core switch (51) is a switch for transferring packets
between packet layer processing units (52). The lower layer processing unit
(ATM) (53) is an interface for connecting to the MPLS network of the ISP1,
and the lower layer processing unit (IP capsule) (54) is an interface for
connecting to the IP capsule network of the ISP2. The packet layer
processing unit (52) receives both lower layer information and each IP packet
from the lower layer processing units (53 and 54) and determines the
destination of the packets according to the combination of the lower layer
information and the header information of the IP packet.

At first, the flow of the receiving processing will be described. Fig. 12
shows a block diagram of the lower layer processing unit (ATM) (53). For the
signal received from the ISP1 network, the physical layer is terminated at the
physical layer processing unit (150), then the ATM layer is terminated at the
ATM layer processing unit (151). At this time, the ATM header used to
identify the VPN for receiving is also transferred to the VPN number adding
unit (152) together with the recomposed IP packet. The VPN number adding
unit (152) generates a VPN number which is used to identify the object VPN
in the router from the ATM header of the IP packet. At this time, the VPN
number table for receiving (153) is used. This VPN number and the IP packet
are then transferred together to the packet layer processing unit via the
packet processing unit IF (154).

Fig. 13 shows a configuration of the VPN number table for receiving
(153). This table (153) comprises pairs of the ATM header in input side (300)
and the VPN number in input side (303). The ATM header on the input side
is used as an input key for outputting a VPN number on the input side (303).
In addition to the VPI/VCI (Virtual Path Identifier/Virtual Channel Identifier)
(301), the ATM header on the input side used as an input key may also be the
CLP (Cell of Priority) bit (302) indicating the priority of the packet transfer. In
addition to the internal VPN number (304), the field of the internal VPN
number on the input side may also be provided with another field (305) for the
QoS (Quality of Service). A table for mapping CLP and QoS may also be
provided independently of this table for identifying each of the VPNs.

Fig. 14 shows a block diagram of the lower layer processing unit (IP
capsulation) (54). For the signal received from the ISP2, the physical layer is
terminated at the physical layer processing unit (170), and then the capsule
header is terminated at the capsule layer receiving processing unit (171). At
this time, the terminated capsule header is transferred together with the IP
packet to the VPN number adding unit (172). The VPN number adding unit
(172) generates a VPN number used to identify respective internal VPNs from
the ATM header. At this time, the VPN number table for receiving (173) is
used. This VPN number and the IP packet are transferred to the packet layer
processing unit via the packet processing unit IF (Interface) (154).

Fig. 15 shows a configuration of the VPN number table for receiving 
(153). This table comprises pairs of the capsule header on the input side 
(310) and the VPN number on the input side (303). The ATM header on the 
input side is used as an input key for outputting the VPN number on the input 
side (303). In addition to the source address (311) of the capsule header, the 
IP capsule header on the input side used as an input key may also be the 
TOS (Type of Service) field (302) for a packet transfer priority. And, in 
addition to the internal VPN number (304), the internal VPN number on the 
input side may also be provided with a field (305) indicating the QoS. 

In addition, another table for mapping both ToS and QoS may be 
provided so as to identify VPNs independently of this table. 

Next, a description will be made of the processing executed when a 
VPN number on the input side (303) and an IP packet arrive at the packet 
layer processing unit (52) using the method described with reference to 
Figs. 12 to 15. Fig. 16 will be referenced for this description. Receiving the 
VPN number on the input side (304) and the IP packet through the lower layer 
processing unit (180), the route retrieval table/VPN table (181) retrieves the 
route to the next network according to the keys (IP header and VPN number 
on the input side) using the route retrieval table/VPN table (182) and 
determines a VPN number on the output side. Consequently, the output 
route, the VPN number on the output side, and the IP packet are transferred 
to the core switch via the core switch IF, and then they are received by the 
desired packet layer processing unit. 

Fig. 17 shows a configuration of the route retrieval table/VPN table 
(182). Both the VPN number on the input side (320) and the IP header (323) 
are used as keys for retrieval processing so as to output both the output 
route number (325) and the capsule number on the output side (326). The 
output route number (326) is an internal identifier used to transfer packets 
to a desired interface via both a core switch and other devices. The capsule 
number on the output side (326) is an internal identifier used to add a capsule 
header to each packet in the lower layer processing unit. The capsule 
number on the output side (326) may also be provided with a QoS (328) in 
addition to the capsule number (327) so as to control transfer priorities. 

The operation of the packet layer processing unit (52) illustrated in Fig. 
11 will be as follows with respect to a decision as to a transmission direction, 
as shown in Fig. 16. Receiving both a capsule number on the output side 
(326) and an IP packet via the core switch IF (184), the packet layer 
processing unit 52 transfers these information items to the lower layer 
processing units (53 and 54) illustrated in Fig. 11 through the lower layer 
processing unit IF. 

The operation of the lower layer processing unit (ATM) (53) will be as 
shown in Fig. 12. The lower layer processing unit (ATM) (53) receives both 
the capsule number on the output side (326) and the IP packet from the packet 
layer processing unit (52) via the packet layer processing unit IF (159). Then, 
the ATM header deciding unit (157) generates an ATM header corresponding 
to the capsule header from the capsule number on the output side (326) with 
reference to the header generating table (158). The ATM header generated 
in such a way and the IP packet are converted into ATM cells in the ATM 
layer transmission processing unit (156), and then the ATM cells are 
transferred to the ISP1 network via the physical layer transmission processing 
unit (155). 

Fig. 18 shows a configuration of the header generating table. The 
header generating table outputs an ATM header on the output side according 
to each capsule number on the output side used as a key. The object ATM 
header on the output side can thus be obtained from the capsule number on 
the output side. 

In the same way, the operation of the lower layer processing unit (IP 
capsule) (54) will be as shown in Fig. 14. The lower layer processing unit (IP 
capsule) (54) receives both a capsule number on the output side (326) and an 
IP packet from the packet layer processing unit (52) illustrated in Fig. 11 via 
the packet layer processing unit IF (159). Then, the capsule header deciding 
unit (177) illustrated in Fig. 14 generates an IP capsule header corresponding 
to the capsule header and a MAC address on the output side from the 
capsule number on the output side (326) with reference to the header 
generating table (178) illustrated in Fig. 14. The IP capsule header and the 
MAC (Media Access Control) address on the output side generated in such a 
way, as well as the IP packet, are encapsulated in the capsule layer 
transmission processing unit (176), and then they are transmitted to the ISP1 
network via the physical layer transmission processing unit (175) illustrated in 
Fig. 14. 

Fig. 19 shows a configuration of the header generating table (178). 
The header generating table outputs both an IP capsule header on the output 
side and a MAC address on the output side according to each capsule 
number on the output side used as a key. 

This completes the description of the configuration of the interwork 
router. In this embodiment, a VPN number on the input side (320) and a 
capsule number on the output side (326) that are unified in the router are 
used for each processing on the input side and output side. However, a 
capsule header on the input side may be used as an input key of the route 
retrieval table/VPN table and a capsule header on the output side may be 
generated directly as an output. 

The tables shown in this embodiment are all logical tables. It is thus 
possible to employ a table retrieval method, which retrieves an address using 
a retrieval algorithm represented by a tree hierarchy, thereby obtaining a 
desired output, as well as to employ a CAM (Channel Access Method) 
configuration and a sequential table retrieval method. 
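
The three lookups described above (the Fig. 13 table for receiving, the Fig. 17 route retrieval table/VPN table and the Fig. 19 header generating table), chained for one packet using sequential retrieval, as an added example that is not part of the patent text. All table contents, the (source, destination) layout of the capsule header, the longest-prefix match and the reuse of the input-side QoS on output are assumptions made for illustration.

```python
import ipaddress

# All table contents are constructed sample values, not taken from the patent.
# Fig. 13: input-side ATM header (VPI, VCI, CLP) -> (internal VPN number, QoS)
VPN_RX_TABLE = {
    (1, 100, 0): (10, "high"),
    (1, 100, 1): (10, "low"),
    (1, 200, 0): (20, "high"),
}
# Fig. 17: input VPN number -> [(destination prefix, output route, capsule number)]
ROUTE_VPN_TABLE = {
    10: [("10.1.0.0/16", 3, 501), ("10.1.2.0/24", 4, 502)],
    20: [("10.1.0.0/16", 5, 601)],  # same private prefix, different VPN
}
# Fig. 19: capsule number -> (IP capsule header as (src, dst), output MAC).
# The (src, dst) layout of the capsule header is an assumption.
HEADER_GEN_TABLE = {
    501: (("192.0.2.1", "198.51.100.1"), "02:00:00:00:00:01"),
    502: (("192.0.2.1", "198.51.100.2"), "02:00:00:00:00:02"),
    601: (("192.0.2.1", "203.0.113.9"), "02:00:00:00:00:03"),
}

def forward(vpi, vci, clp, dst_ip):
    """Return (output route, capsule header, MAC, QoS), or None to drop."""
    rx = VPN_RX_TABLE.get((vpi, vci, clp))
    if rx is None:
        return None  # input header maps to no configured VPN
    vpn, qos = rx
    dst = ipaddress.ip_address(dst_ip)
    best = None
    # Sequential retrieval restricted to this VPN's entries; longest prefix wins.
    for prefix, route, capsule in ROUTE_VPN_TABLE.get(vpn, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route, capsule)
    if best is None:
        return None  # no route in this VPN; other VPNs' routes are never consulted
    _, route, capsule = best
    entry = HEADER_GEN_TABLE.get(capsule)
    if entry is None:
        return None  # route references a capsule number with no header configured
    capsule_header, mac = entry
    return route, capsule_header, mac, qos

if __name__ == "__main__":
    # The same destination address resolves differently per VPN.
    print(forward(1, 100, 0, "10.1.2.5"))
    print(forward(1, 200, 0, "10.1.2.5"))
    print(forward(9, 9, 0, "10.1.2.5"))
```

Because the VPN number is part of the retrieval key, two VPNs that reuse the same private prefix never share a route entry, and a packet whose input header is not in the table for receiving is dropped rather than routed by IP address alone.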

Fig. 23 shows a configuration of an MIB (Management Information 
Base), which is an interface for outputting commands from an NMS to the 
interwork router, and an agent is mounted in the control unit 50 so as to set 
the tables in this embodiment. The capsule header entry on the input side 
(500) is an MIB for setting the VPN table for receiving, as shown in Fig. 13. In 
the same way, the VPN cross connector entry (501) is an MIB for setting the 
route retrieval table/VPN table (182) shown in Fig. 17. In the same way, the 
capsule header entry on the output side (502) indicates a configuration of the 
header generating table. The information set in those MIBs is set by the NMS 
for the control unit (50), and then it is set by the control unit (50) in each unit 
of the interwork router. 

So far, a description has been made mainly for a configuration of the 
interwork router used for a plurality of VPNs. Hereunder, how such an 
interwork router will be used in a network will be described with reference to 
Figs. 20 to 22. 

Fig. 20 shows an example of connecting two ISPs to each other via 
two interwork routers belonging to those two ISPs. Each of those two VPNs 
is identified according to the header of each packet transferred between 
those two interwork routers. Each of the interwork routers (10a and 10b) 
determines the route of packets according to the combination of a capsule 
header (103a, 103b, or 103c) and an IP address as described with reference 
to Figs. 1 through 19. 

Fig. 21 shows an example of connecting two ISPs to each other via an 
IX used for layer 3 processing. Each of those two ISPs is provided with an 
interwork router. Each VPN is identified between each interwork router and 
the IX according to the capsule header of each packet (103b). Each of the 
interwork router (10a), the IX (10c), and the interwork router (10b) forwards 
each packet according to the combination of the capsule header (103a, 103b, 
or 103c) and the IP address as described with reference to Figs. 1 through 19. 

Fig. 22 shows an example of connecting two ISPs to each other via an 
IX. Each of those two ISPs is connected to an interwork router. The IX in this 
example is composed of a layer 2 unit, which does not execute layer 3 
processing. Also in this case, each VPN is identified between each interwork 
router and the IX according to the capsule header of each packet (103b). 
Each of the interwork routers (10a and 10b) forwards each packet according 
to the combination of the capsule header (103a, 103b, or 103c) and the IP 
address, as described with reference to Figs. 1 through 19. The IX transfers 
packets through layer 2 forwarding processing. 

Although a description has been made as to how to connect a VPN 
over a plurality of ISPs, such a VPN connection is also needed for the same 
node configuration even when a plurality of encapsulation areas exist in the 
same ISP. In such a case, the VPN can be connected to those ISPs using 
the method of the present invention. 

According to the present invention, therefore, a VPN network can be 
composed over a plurality of ISPs as described above. In addition, QoS 
information can be interworked among a plurality of VPN networks. 

Although the present invention has been described in connection with 
a preferred embodiment thereof, many other variations and modifications will 
be apparent to those skilled in the art. 